<!DOCTYPE html>
<html lang="zh-CN">

<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
  <meta name="theme-color" content="#222">
  <meta name="generator" content="Hexo 5.4.0">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

  <link rel="stylesheet" href="/css/main.css">



  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.15.2/css/all.min.css">
  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/animate.css@3.1.1/animate.min.css">

  <script class="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {
      "hostname": "holidaypenguin.gitee.io",
      "root": "/",
      "images": "/images",
      "scheme": "Mist",
      "version": "8.2.2",
      "exturl": false,
      "sidebar": {
        "position": "right",
        "display": "always",
        "padding": 18,
        "offset": 12
      },
      "copycode": true,
      "bookmark": {
        "enable": false,
        "color": "#222",
        "save": "auto"
      },
      "fancybox": false,
      "mediumzoom": false,
      "lazyload": false,
      "pangu": false,
      "comments": {
        "style": "tabs",
        "active": null,
        "storage": true,
        "lazyload": false,
        "nav": null
      },
      "motion": {
        "enable": true,
        "async": true,
        "transition": {
          "post_block": "fadeIn",
          "post_header": "fadeInDown",
          "post_body": "fadeInDown",
          "coll_header": "fadeInLeft",
          "sidebar": "slideUpIn"
        }
      },
      "prism": false,
      "i18n": {
        "placeholder": "搜索...",
        "empty": "没有找到任何搜索结果：${query}",
        "hits_time": "找到 ${hits} 个搜索结果（用时 ${time} 毫秒）",
        "hits": "找到 ${hits} 个搜索结果"
      },
      "path": "/search.xml",
      "localsearch": {
        "enable": true,
        "trigger": "auto",
        "top_n_per_article": 1,
        "unescape": false,
        "preload": false
      }
    };
  </script>
  <meta property="og:type" content="article">
  <meta property="og:title" content="记一次Chrome更新带来的登录Cookie问题">
  <meta property="og:url" content="https://holidaypenguin.gitee.io/blob/2021-06-28-remember-a-login-cookie-problem-caused-by-chrome-update/index.html">
  <meta property="og:site_name" content="HolidayPenguin">
  <meta property="og:locale" content="zh_CN">
  <meta property="og:image" content="https://visitor-badge.glitch.me/badge?page_id=holidaypenguin.gitee.io">
  <meta property="og:image" content="https://holidaypenguin.gitee.io/images/FrontEnd/0018.png">
  <meta property="og:image" content="https://holidaypenguin.gitee.io/images/FrontEnd/0019.jpg">
  <meta property="og:image" content="https://holidaypenguin.gitee.io/images/FrontEnd/0016.jpg">
  <meta property="og:image" content="https://holidaypenguin.gitee.io/images/FrontEnd/0017.jpg">
  <meta property="og:image" content="https://holidaypenguin.gitee.io/images/FrontEnd/0020.png">
  <meta property="og:image" content="https://holidaypenguin.gitee.io/images/FrontEnd/0021.png">
  <meta property="article:published_time" content="2021-06-28T09:40:56.000Z">
  <meta property="article:modified_time" content="2021-06-28T09:40:56.000Z">
  <meta property="article:author" content="holidaypenguin">
  <meta property="article:tag" content="FrontEnd">
  <meta property="article:tag" content="Cookie">
  <meta property="article:tag" content="same-site">
  <meta name="twitter:card" content="summary">
  <meta name="twitter:image" content="https://visitor-badge.glitch.me/badge?page_id=holidaypenguin.gitee.io">


  <link rel="canonical" href="https://holidaypenguin.gitee.io/blob/2021-06-28-remember-a-login-cookie-problem-caused-by-chrome-update/">


  <script class="page-configurations">
    // https://hexo.io/docs/variables.html
    CONFIG.page = {
      sidebar: "",
      isHome: false,
      isPost: true,
      lang: 'zh-CN'
    };
  </script>
  <title>记一次Chrome更新带来的登录Cookie问题 | HolidayPenguin</title>





  <noscript>
    <style>
      body {
        margin-top: 2rem;
      }

      .use-motion .menu-item,
      .use-motion .sidebar,
      .use-motion .post-block,
      .use-motion .pagination,
      .use-motion .comments,
      .use-motion .post-header,
      .use-motion .post-body,
      .use-motion .collection-header {
        visibility: visible;
      }

      .use-motion .header,
      .use-motion .site-brand-container .toggle,
      .use-motion .footer {
        opacity: initial;
      }

      .use-motion .site-title,
      .use-motion .site-subtitle,
      .use-motion .custom-logo-image {
        opacity: initial;
        top: initial;
      }

      .use-motion .logo-line {
        transform: scaleX(1);
      }

      .search-pop-overlay,
      .sidebar-nav {
        display: none;
      }

      .sidebar-panel {
        display: block;
      }
    </style>
  </noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
  <div class="headband"></div>

  <main class="main">
    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner">
        <div class="site-brand-container">
          <div class="site-nav-toggle">
            <div class="toggle" aria-label="切换导航栏" role="button">
              <span class="toggle-line"></span>
              <span class="toggle-line"></span>
              <span class="toggle-line"></span>
            </div>
          </div>

          <div class="site-meta">

            <a href="/" class="brand" rel="start">
              <i class="logo-line"></i>
              <h1 class="site-title">HolidayPenguin</h1>
              <i class="logo-line"></i>
            </a>
          </div>

          <div class="site-nav-right">
            <div class="toggle popup-trigger">
              <i class="fa fa-search fa-fw fa-lg"></i>
            </div>
          </div>
        </div>



        <nav class="site-nav">
          <ul class="main-menu menu">
            <li class="menu-item menu-item-home"><a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a></li>
            <li class="menu-item menu-item-tags"><a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a></li>
            <li class="menu-item menu-item-categories"><a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a></li>
            <li class="menu-item menu-item-archives"><a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a></li>
            <li class="menu-item menu-item-search">
              <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
              </a>
            </li>
          </ul>
        </nav>



        <div class="search-pop-overlay">
          <div class="popup search-popup">
            <div class="search-header">
              <span class="search-icon">
                <i class="fa fa-search"></i>
              </span>
              <div class="search-input-container">
                <input autocomplete="off" autocapitalize="off" maxlength="80" placeholder="搜索..." spellcheck="false" type="search" class="search-input">
              </div>
              <span class="popup-btn-close" role="button">
                <i class="fa fa-times-circle"></i>
              </span>
            </div>
            <div class="search-result-container no-result">
              <div class="search-result-icon">
                <i class="fa fa-spinner fa-pulse fa-5x"></i>
              </div>
            </div>

          </div>
        </div>

      </div>


      <div class="toggle sidebar-toggle" role="button">
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
      </div>

      <aside class="sidebar">

        <div class="sidebar-inner sidebar-nav-active sidebar-toc-active">
          <ul class="sidebar-nav">
            <li class="sidebar-nav-toc">
              文章目录
            </li>
            <li class="sidebar-nav-overview">
              站点概览
            </li>
          </ul>

          <div class="sidebar-panel-container">
            <!--noindex-->
            <div class="post-toc-wrap sidebar-panel">
              <div class="post-toc animated">
                <ol class="nav">
                  <li class="nav-item nav-level-2"><a class="nav-link" href="#%E4%BA%8B%E4%BB%B6%E8%B5%B7%E5%9B%A0"><span class="nav-number">1.</span> <span class="nav-text">事件起因</span></a>
                    <ol class="nav-child">
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E7%8E%AF%E5%A2%83"><span class="nav-number">1.1.</span> <span class="nav-text">环境</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E9%97%AE%E9%A2%98"><span class="nav-number">1.2.</span> <span class="nav-text">问题</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E7%BB%93%E6%A1%88"><span class="nav-number">1.3.</span> <span class="nav-text">结案</span></a></li>
                    </ol>
                  </li>
                  <li class="nav-item nav-level-2"><a class="nav-link" href="#Same-Site-%E7%9A%84%E6%A6%82%E5%BF%B5"><span class="nav-number">2.</span> <span class="nav-text">Same-Site 的概念</span></a></li>
                  <li class="nav-item nav-level-2"><a class="nav-link" href="#Schemeful-Same-Site"><span class="nav-number">3.</span> <span class="nav-text">Schemeful Same-Site</span></a>
                    <ol class="nav-child">
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E6%B5%8F%E8%A7%88%E5%99%A8%E7%9B%B8%E5%85%B3%E8%AE%BE%E7%BD%AE"><span class="nav-number">3.1.</span> <span class="nav-text">浏览器相关设置</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%B8%B8%E8%A7%81%E7%9A%84%E8%B7%A8%E5%8D%8F%E8%AE%AE%E5%9C%BA%E6%99%AF"><span class="nav-number">3.2.</span> <span class="nav-text">常见的跨协议场景</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%AF%BC%E8%88%AA%E8%B7%B3%E8%BD%AC"><span class="nav-number">3.3.</span> <span class="nav-text">导航跳转</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%8A%A0%E8%BD%BD%E5%AD%90%E8%B5%84%E6%BA%90"><span class="nav-number">3.4.</span> <span class="nav-text">加载子资源</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#POST%E8%A1%A8%E5%8D%95%E6%8F%90%E4%BA%A4"><span class="nav-number">3.5.</span> <span class="nav-text">POST表单提交</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%A6%82%E4%BD%95%E5%9C%A8%E7%BD%91%E9%A1%B5%E4%B8%8A%E6%B5%8B%E8%AF%95"><span class="nav-number">3.6.</span> <span class="nav-text">如何在网页上测试</span></a></li>
                    </ol>
                  </li>
                  <li class="nav-item nav-level-2"><a class="nav-link" href="#FAQ"><span class="nav-number">4.</span> <span class="nav-text">FAQ</span></a>
                    <ol class="nav-child">
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E6%88%91%E7%9A%84%E7%BD%91%E9%A1%B5%E5%B7%B2%E7%BB%8F%E4%BD%BF%E7%94%A8HTTPS%EF%BC%8C%E4%B8%BA%E4%BB%80%E4%B9%88%E8%BF%98%E4%BC%9A%E7%9C%8B%E5%88%B0issues%EF%BC%9F"><span class="nav-number">4.1.</span> <span class="nav-text">我的网页已经使用HTTPS，为什么还会看到issues？</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%A6%82%E6%9E%9C%E6%88%91%E6%97%A0%E6%B3%95%E5%8D%87%E7%BA%A7%E5%88%B0HTTPS"><span class="nav-number">4.2.</span> <span class="nav-text">如果我无法升级到HTTPS</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%A6%82%E6%9E%9Ccookies%E6%B2%A1%E6%9C%89%E8%AE%BE%E7%BD%AESameSite%E5%B1%9E%E6%80%A7%EF%BC%9F"><span class="nav-number">4.3.</span> <span class="nav-text">如果cookies没有设置SameSite属性？</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#WebSockets"><span class="nav-number">4.4.</span> <span class="nav-text">WebSockets</span></a></li>
                    </ol>
                  </li>
                  <li class="nav-item nav-level-2"><a class="nav-link" href="#%E4%B8%B4%E6%97%B6%E8%A7%A3%E5%86%B3%E5%8A%9E%E6%B3%95"><span class="nav-number">5.</span> <span class="nav-text">临时解决办法</span></a></li>
                </ol>
                </li>
                <li class="nav-item nav-level-1"><a class="nav-link" href="#%E5%8F%82%E8%80%83"><span class="nav-number"></span> <span class="nav-text">参考</span></a>
              </div>
            </div>
            <!--/noindex-->

            <div class="site-overview-wrap sidebar-panel">
              <div class="site-author site-overview-item animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
                <p class="site-author-name" itemprop="name">holidaypenguin</p>
                <div class="site-description" itemprop="description"></div>
              </div>
              <div class="site-state-wrap site-overview-item animated">
                <nav class="site-state">
                  <div class="site-state-item site-state-posts">
                    <a href="/archives/">

                      <span class="site-state-item-count">138</span>
                      <span class="site-state-item-name">日志</span>
                    </a>
                  </div>
                  <div class="site-state-item site-state-categories">
                    <a href="/categories/">

                      <span class="site-state-item-count">26</span>
                      <span class="site-state-item-name">分类</span></a>
                  </div>
                  <div class="site-state-item site-state-tags">
                    <a href="/tags/">

                      <span class="site-state-item-count">234</span>
                      <span class="site-state-item-name">标签</span></a>
                  </div>
                </nav>
              </div>
              <div class="links-of-author site-overview-item animated">
                <span class="links-of-author-item">
                  <a href="https://github.com/holidaypenguin" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;holidaypenguin" rel="noopener" target="_blank"><i class="github fa-fw"></i>GitHub</a>
                </span>
                <span class="links-of-author-item">
                  <a href="mailto:songshipeng2016@gmail.com" title="E-Mail → mailto:songshipeng2016@gmail.com" rel="noopener" target="_blank"><i class="envelope fa-fw"></i>E-Mail</a>
                </span>
              </div>



            </div>
          </div>
        </div>
      </aside>
      <div class="sidebar-dimmer"></div>


    </header>


    <div class="back-to-top" role="button">
      <i class="fa fa-arrow-up"></i>
      <span>0%</span>
    </div>

    <noscript>
      <div class="noscript-warning">Theme NexT works best with JavaScript enabled</div>
    </noscript>


    <div class="main-inner post posts-expand">





      <div class="post-block">



        <article itemscope itemtype="http://schema.org/Article" class="post-content" lang="zh-CN">
          <link itemprop="mainEntityOfPage" href="https://holidaypenguin.gitee.io/blob/2021-06-28-remember-a-login-cookie-problem-caused-by-chrome-update/">

          <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
            <meta itemprop="image" content="/images/avatar.gif">
            <meta itemprop="name" content="holidaypenguin">
            <meta itemprop="description" content="">
          </span>

          <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
            <meta itemprop="name" content="HolidayPenguin">
          </span>
          <header class="post-header">
            <h1 class="post-title" itemprop="name headline">
              记一次Chrome更新带来的登录Cookie问题
            </h1>

            <div class="post-meta-container">
              <div class="post-meta">
                <span class="post-meta-item">
                  <span class="post-meta-item-icon">
                    <i class="far fa-calendar"></i>
                  </span>
                  <span class="post-meta-item-text">发表于</span>

                  <time title="创建时间：2021-06-28 17:40:56" itemprop="dateCreated datePublished" datetime="2021-06-28T17:40:56+08:00">2021-06-28</time>
                </span>
                <span class="post-meta-item">
                  <span class="post-meta-item-icon">
                    <i class="far fa-folder"></i>
                  </span>
                  <span class="post-meta-item-text">分类于</span>
                  <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                    <a href="/categories/FrontEnd/" itemprop="url" rel="index"><span itemprop="name">FrontEnd</span></a>
                  </span>
                </span>


                <span id="/blob/2021-06-28-remember-a-login-cookie-problem-caused-by-chrome-update/" class="post-meta-item leancloud_visitors" data-flag-title="记一次Chrome更新带来的登录Cookie问题" title="阅读次数">
                  <span class="post-meta-item-icon">
                    <i class="far fa-eye"></i>
                  </span>
                  <span class="post-meta-item-text">阅读次数：</span>
                  <span class="leancloud-visitors-count"></span>
                </span>
              </div>

              <div class="post-description">
                <!-- more -->
              </div>
            </div>
          </header>




          <div class="post-body" itemprop="articleBody">
            <p><a target="_blank" rel="noopener" href="https://github.com/jwenjian/visitor-count-badge"><img src="" data-original="https://visitor-badge.glitch.me/badge?page_id=holidaypenguin.gitee.io" alt="总访客数量"></a></p>
            <h2 id="事件起因"><a href="#事件起因" class="headerlink" title="事件起因"></a><strong>事件起因</strong></h2>
            <blockquote>
              <p>Migrate entirely to HTTPS to have cookies sent to same-site subresources</p>
            </blockquote>
            <h3 id="环境"><a href="#环境" class="headerlink" title="环境"></a><strong>环境</strong></h3>
            <p>首先介绍下基本信息：公司的某个业务系统是<code>h.xxx.com</code>，登录走的通过<code>iframe</code>嵌入的网页<code>passport.xxx.com</code>。</p>
            <p>本地开发环境下，业务系统只支持<code>http</code>协议，所以对应访问地址为<code>http://h.xxx.com</code>，登录接口始终是<code>https://passport.xxx.com</code>。</p>
            <p>这样就是一个跨协议的情况了。</p>
            <h3 id="问题"><a href="#问题" class="headerlink" title="问题"></a><strong>问题</strong></h3>
            <p>某一天，有同学登录系统后始终提示“你未登录，请先登录B站”，而且并不是所有人有该问题。</p>
            <p>经过一系列排查，发现唯一的区别只有<code>Chrome</code>浏览器版本不一致（使用部分其他浏览器也是没有问题的）。</p>
            <h3 id="结案"><a href="#结案" class="headerlink" title="结案"></a><strong>结案</strong></h3>
            <p>从<code>v88</code>升级到<code>v89</code>后，<code>Chrome</code>浏览器内置的<code>schemeful-same-site</code>规则默认值改为启用，导致跨协议也被认定为跨站(cross-site)，<code>cookies</code>无法传递。</p>
            <p>临时解决方案：地址栏打开<code>chrome://flags/#schemeful-same-site</code>，将选项设置为<code>Disabled</code>。</p>
            <blockquote>
              <p>在<code>Chrome 80</code>版本，<code>SameSite</code>的默认值被改为<code>Lax</code>。</p>
            </blockquote>
            <h2 id="Same-Site-的概念"><a href="#Same-Site-的概念" class="headerlink" title="Same-Site 的概念"></a><strong>Same-Site 的概念</strong></h2>
            <p><img src="" data-original="/images/FrontEnd/0018.png" alt="img"></p>
            <p><code>eTLD+1</code>部分一致就可以称之为<code>same-site</code>。</p>
            <figure class="highlight plain">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line">scheme&#96;和&#96;eTLD+1&#96;部分一致则被称为&#96;schemeful same-site</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>

            <p>下面是一些<code>schemeful same-site</code>的案例：</p>
            <table>
              <thead>
                <tr>
                  <th>Origin A</th>
                  <th>Origin B</th>
                  <th>schemeful same-site</th>
                </tr>
              </thead>
              <tbody>
                <tr>
                  <td><a target="_blank" rel="noopener" href="https://www.example.com/">https://www.example.com:443</a></td>
                  <td><a target="_blank" rel="noopener" href="https://www.evil.com/">https://www.evil.com:443</a></td>
                  <td>cross-site: 域名不同</td>
                </tr>
                <tr>
                  <td></td>
                  <td><a target="_blank" rel="noopener" href="https://login.example.com/">https://login.example.com:443</a></td>
                  <td>schemeful same-site: 允许子域名不同</td>
                </tr>
                <tr>
                  <td></td>
                  <td><a target="_blank" rel="noopener" href="http://www.example.com:443/">http://www.example.com:443</a></td>
                  <td>cross-site: 协议不同</td>
                </tr>
                <tr>
                  <td></td>
                  <td><a target="_blank" rel="noopener" href="https://www.example.com:80/">https://www.example.com:80</a></td>
                  <td>schemeful same-site: 允许端口不同</td>
                </tr>
                <tr>
                  <td></td>
                  <td><a target="_blank" rel="noopener" href="https://www.example.com/">https://www.example.com:443</a></td>
                  <td>schemeful same-site: 完全匹配</td>
                </tr>
                <tr>
                  <td></td>
                  <td><a target="_blank" rel="noopener" href="https://www.example.com/">https://www.example.com</a></td>
                  <td>schemeful same-site: 允许端口不同</td>
                </tr>
              </tbody>
            </table>
            <h2 id="Schemeful-Same-Site"><a href="#Schemeful-Same-Site" class="headerlink" title="Schemeful Same-Site"></a><strong>Schemeful Same-Site</strong></h2>
            <p><strong><a target="_blank" rel="noopener" href="https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html#rfc.section.3.3">Schemeful Same-Site</a></strong> 是 <code>same-site</code> 的进阶版，通过协议+域名两个维度来定义，如果想深入了解下，你可以浏览这篇文章：**<a target="_blank" rel="noopener" href="https://web.dev/same-site-same-origin/#%22schemeful-same-site%22">Understanding ‘same-site’ and ‘same-origin’</a>** 。</p>
            <blockquote>
              <p>这意味着 <a target="_blank" rel="noopener" href="http://website.example/">http://website.example</a> 和<a target="_blank" rel="noopener" href="https://website.example/">https://website.example</a> 相互之间是跨站(cross-site)的。</p>
            </blockquote>
            <p>如果你的网站已经全部使用<code>HTTPS</code>，那<code>Schemeful Same-Site</code>不会有任何影响，否则应该尽快升级到<code>HTTPS</code>。</p>
            <p>如果你的项目同时使用<code>HTTP</code>和<code>HTTPS</code>，那就很有必要了解相关规则，接下来将介绍一些场景以及与之对应的<code>cookie</code>行为。</p>
            <blockquote>
              <p>以前可以通过设置<code>SameSite=None; Secure</code>来允许<strong>跨协议</strong>的<code>cookies</code>传输，原作者建议不要使用这个临时解决方案，应该尽快全站部署<code>HTTPS</code>，事实上也确实是这样的，就像前文的登录问题，你永远不知道浏览器给你的下一个“惊喜”是什么。</p>
            </blockquote>
            <h3 id="浏览器相关设置"><a href="#浏览器相关设置" class="headerlink" title="浏览器相关设置"></a><strong>浏览器相关设置</strong></h3>
            <p><code>Chrome</code>和<code>Firefox</code>上提供了<code>schemeful-same-site</code>的配置入口。</p>
            <ul>
              <li><code>Chrome 86</code> 开始，修改<code>chrome://flags/#schemeful-same-site</code>选项为<code>Enabled</code>即是启用。</li>
              <li><code>Firefox 79</code> 开始，打开<code>about:config</code>修改 <code>network.cookie.sameSite.schemeful</code>选项为<code>true</code>。</li>
            </ul>
            <p>在以前的浏览器更新中，为了防止**<a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Glossary/CSRF">跨站请求伪造</a>**(CSRF)攻击，已经将<code>SameSite=Lax</code>设置为默认项。</p>
            <p>然而攻击者还是能通过不安全的<code>HTTP</code>协议篡改<code>cookies</code>，影响到也使用同样<code>cookies</code>的<code>HTTPS</code>页面。</p>
            <p><code>schemeful-same-site</code>也就应运而生。</p>
            <h3 id="常见的跨协议场景"><a href="#常见的跨协议场景" class="headerlink" title="常见的跨协议场景"></a><strong>常见的跨协议场景</strong></h3>
            <h3 id="导航跳转"><a href="#导航跳转" class="headerlink" title="导航跳转"></a><strong>导航跳转</strong></h3>
            <p>之前两个跨协议同域名的页面跳转是允许携带设为<code>SameSite=Strict</code>的<code>cookies</code>。</p>
            <p>现在不同协议被认定为跨站(cross-site)，所以设为<code>SameSite=Strict</code>的<code>cookies</code>就被阻挡了。</p>
            <p><img src="" data-original="/images/FrontEnd/0019.jpg" alt="img"></p>
            <table>
              <thead>
                <tr>
                  <th></th>
                  <th>HTTP → HTTPS</th>
                  <th>HTTPS → HTTP</th>
                </tr>
              </thead>
              <tbody>
                <tr>
                  <td>SameSite=Strict</td>
                  <td>⛔ Blocked</td>
                  <td>⛔ Blocked</td>
                </tr>
                <tr>
                  <td>SameSite=Lax</td>
                  <td>✅ Allowed</td>
                  <td>✅ Allowed</td>
                </tr>
                <tr>
                  <td>SameSite=None;Secure</td>
                  <td>✅ Allowed</td>
                  <td>⛔ Blocked</td>
                </tr>
              </tbody>
            </table>
            <h3 id="加载子资源"><a href="#加载子资源" class="headerlink" title="加载子资源"></a><strong>加载子资源</strong></h3>
            <blockquote>
              <p>主流浏览器都会阻止 **<a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-TW/docs/Web/Security/Mixed_content">active mixed content</a>**（主动型混合内容） ，如<code>scripts</code>、<code>iframe</code>。 <code>Chrome</code>和<code>Firefox</code>浏览器正在尝试升级或阻止<code>passive mixed content</code>(被动型混合内容)。</p>
            </blockquote>
            <p>子资源（<code>subresources</code>）包括图片，<code>iframes</code> 以及 <code>XHR</code>、<code>Fetch</code>请求</p>
            <p>之前如果一个页面加载了跨协议的资源，他们之间是可以共享设为<code>SameSite=Strict</code>、<code>SameSite=Lax</code>的<code>cookies</code>。</p>
            <p>然而现在两者统统被浏览器阻止，无法传输共享。</p>
            <p>另外即使<code>HTTPS</code>能够加载<code>HTTP</code>资源，所有的<code>cookies</code>还是会被阻止。</p>
            <p><img src="" data-original="/images/FrontEnd/0016.jpg" alt="img"></p>
            <table>
              <thead>
                <tr>
                  <th></th>
                  <th>HTTP → HTTPS</th>
                  <th>HTTPS → HTTP</th>
                </tr>
              </thead>
              <tbody>
                <tr>
                  <td>SameSite=Strict</td>
                  <td>⛔ Blocked</td>
                  <td>⛔ Blocked</td>
                </tr>
                <tr>
                  <td>SameSite=Lax</td>
                  <td>⛔ Blocked</td>
                  <td>⛔ Blocked</td>
                </tr>
                <tr>
                  <td>SameSite=None;Secure</td>
                  <td>✅ Allowed</td>
                  <td>⛔ Blocked</td>
                </tr>
              </tbody>
            </table>
            <h3 id="POST表单提交"><a href="#POST表单提交" class="headerlink" title="POST表单提交"></a><strong>POST表单提交</strong></h3>
            <p>以前跨协议的<code>POST</code>请求是可以携带设为<code>SameSite=Lax</code>或<code>SameSite=Strict</code>的<code>cookies</code>。</p>
            <p>现在只有设置为<code>SameSite=None</code>的<code>cookies</code>可以在表单请求时被发送。</p>
            <p><img src="" data-original="/images/FrontEnd/0017.jpg" alt="img"></p>
            <table>
              <thead>
                <tr>
                  <th></th>
                  <th>HTTP → HTTPS</th>
                  <th>HTTPS → HTTP</th>
                </tr>
              </thead>
              <tbody>
                <tr>
                  <td>SameSite=Strict</td>
                  <td>⛔ Blocked</td>
                  <td>⛔ Blocked</td>
                </tr>
                <tr>
                  <td>SameSite=Lax</td>
                  <td>⛔ Blocked</td>
                  <td>⛔ Blocked</td>
                </tr>
                <tr>
                  <td>SameSite=None;Secure</td>
                  <td>✅ Allowed</td>
                  <td>⛔ Blocked</td>
                </tr>
              </tbody>
            </table>
            <h3 id="如何在网页上测试"><a href="#如何在网页上测试" class="headerlink" title="如何在网页上测试"></a><strong>如何在网页上测试</strong></h3>
            <p><code>Chrome</code>和<code>Firefox</code>上的开发者工具都已经支持相关配置，并且会在控制台给出提示。</p>
            <p><code>Chrome 86</code>版本开始，<code>DevTools-&gt;Issue</code>显示关于<code>Schemeful Same-Site</code>的高亮提示。</p>
            <p><code>Navigation issues</code>:</p>
            <ul>
              <li>“Migrate entirely to HTTPS to continue having cookies sent on same-site requests”—A warning that the cookie will be blocked in a future version of Chrome.</li>
              <li>“Migrate entirely to HTTPS to have cookies sent on same-site requests”—A warning that the cookie has been blocked.</li>
            </ul>
            <p>子资源加载<code>issues</code>：</p>
            <ul>
              <li>“Migrate entirely to HTTPS to continue having cookies sent to same-site subresources” or “Migrate entirely to HTTPS to continue allowing cookies to be set by same-site subresources”—Warnings that the cookie will be blocked in a future version of Chrome.</li>
              <li>“Migrate entirely to HTTPS to have cookies sent to same-site subresources” or “Migrate entirely to HTTPS to allow cookies to be set by same-site subresources”—Warnings that the cookie has been blocked. The latter warning can also appear when POSTing a form.</li>
            </ul>
            <p>详情可以阅读 **<a target="_blank" rel="noopener" href="https://www.chromium.org/updates/schemeful-same-site/testing-and-debugging-tips-for-schemeful-same-site">Testing and Debugging Tips for Schemeful Same-Site</a>**。</p>
            <p><code>Firefox</code> 79版本开始，<code>network.cookie.sameSite.schemeful</code>设置为<code>true</code>后，控制台也会呈现相关信息：</p>
            <ul>
              <li>“Cookie cookie_name will be soon treated as cross-site cookie against <a target="_blank" rel="noopener" href="http://site.example/">http://site.example/</a> because the scheme does not match.”</li>
              <li>“Cookie cookie_name has been treated as cross-site against <a target="_blank" rel="noopener" href="http://site.example/">http://site.example/</a> because the scheme does not match.”</li>
            </ul>
            <h2 id="FAQ"><a href="#FAQ" class="headerlink" title="FAQ"></a><strong>FAQ</strong></h2>
            <h3 id="我的网页已经使用HTTPS，为什么还会看到issues？"><a href="#我的网页已经使用HTTPS，为什么还会看到issues？" class="headerlink" title="我的网页已经使用HTTPS，为什么还会看到issues？"></a><strong>我的网页已经使用<code>HTTPS</code>，为什么还会看到<code>issues</code>？</strong></h3>
            <p>很可能是网页内的一些链接或资源还是指向不安全的地址。</p>
            <p>其中一个解决办法就是使用 <strong><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Strict-Transport-Security">HTTP Strict-Transport-Security</a></strong> (HSTS) + <code>includeSubDomain</code>。</p>
            <p>使用 <code>HSTS</code> + <code>includeSubDomain</code> 方案之后，即便你的页面里还存在不安全的链接，浏览器会自动替换安全的协议访问。</p>
            <h3 id="如果我无法升级到HTTPS"><a href="#如果我无法升级到HTTPS" class="headerlink" title="如果我无法升级到HTTPS"></a><strong>如果我无法升级到HTTPS</strong></h3>
            <p>可以调整<code>SameSite</code>的设置，放宽限制。</p>
            <ul>
              <li>只有<code>SameSite=Strict</code>的<code>cookies</code>被阻止时，你可以调整为<code>SameSite=Lax</code></li>
              <li>设置为<code>Strict</code>或<code>Lax</code>的<code>cookies</code>均被阻止，同时<code>cookies</code>是发送到安全<code>URL</code>的，把设置为<code>None</code>后就可以生效。</li>
            </ul>
            <h3 id="如果cookies没有设置SameSite属性？"><a href="#如果cookies没有设置SameSite属性？" class="headerlink" title="如果cookies没有设置SameSite属性？"></a><strong>如果<code>cookies</code>没有设置<code>SameSite</code>属性？</strong></h3>
            <p>没有<code>SameSite</code>属性的<code>cookies</code>，会被当成<code>SameSite=Lax</code>处理。</p>
            <h3 id="WebSockets"><a href="#WebSockets" class="headerlink" title="WebSockets"></a><strong>WebSockets</strong></h3>
            <p>Same-site:</p>
            <ul>
              <li><code>wss://</code> connection from <code>https://</code></li>
              <li><code>ws://</code> connection from <code>http://</code></li>
            </ul>
            <p>Cross-site:</p>
            <ul>
              <li><code>wss://</code> connection from <code>http://</code></li>
              <li><code>ws://</code> connection from <code>https://</code></li>
            </ul>
            <p>本文主要内容来自：</p>
            <p><a target="_blank" rel="noopener" href="https://web.dev/schemeful-samesite/">Schemeful Same-Siteweb.dev</a></p>
            <h2 id="临时解决办法"><a href="#临时解决办法" class="headerlink" title="临时解决办法"></a>临时解决办法</h2>
            <p>Chrome浏览器打开新标签页，地址栏中分别输入</p>
            <ul>
              <li>chrome://flags/#same-site-by-default-cookies</li>
              <li>chrome://flags/#cookies-without-same-site-must-be-secure</li>
            </ul>
            <p><img src="" data-original="/images/FrontEnd/0020.png" alt="img"><br><img src="" data-original="/images/FrontEnd/0021.png" alt="img"></p>
            <h1 id="参考"><a href="#参考" class="headerlink" title="参考"></a>参考</h1>
            <p><a target="_blank" rel="noopener" href="https://zhuanlan.zhihu.com/p/359641832">https://zhuanlan.zhihu.com/p/359641832</a><br><a target="_blank" rel="noopener" href="https://blog.csdn.net/yhyc812/article/details/108623844">https://blog.csdn.net/yhyc812/article/details/108623844</a></p>

          </div>





          <footer class="post-footer">
            <div class="post-tags">
              <a href="/tags/FrontEnd/" rel="tag"># FrontEnd</a>
              <a href="/tags/Cookie/" rel="tag"># Cookie</a>
              <a href="/tags/same-site/" rel="tag"># same-site</a>
            </div>



            <div class="post-nav">
              <div class="post-nav-item">
                <a href="/blob/2021-06-11-using-promise-to-realize-concurrency-control/" rel="prev" title="使用promise实现并发控制">
                  <i class="fa fa-chevron-left"></i> 使用promise实现并发控制
                </a>
              </div>
              <div class="post-nav-item">
                <a href="/blob/2021-06-29-webpack-optimization-doubles-your-build-efficiency/" rel="next" title="Webpack优化 将你的构建效率提速翻倍">
                  Webpack优化 将你的构建效率提速翻倍 <i class="fa fa-chevron-right"></i>
                </a>
              </div>
            </div>
          </footer>
        </article>
      </div>







      <script>
        window.addEventListener('tabs:register', () => {
          let {
            activeClass
          } = CONFIG.comments;
          if (CONFIG.comments.storage) {
            activeClass = localStorage.getItem('comments_active') || activeClass;
          }
          if (activeClass) {
            const activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
            if (activeTab) {
              activeTab.click();
            }
          }
        });
        if (CONFIG.comments.storage) {
          window.addEventListener('tabs:click', event => {
            if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
            const commentClass = event.target.classList[1];
            localStorage.setItem('comments_active', commentClass);
          });
        }
      </script>
    </div>
  </main>

  <footer class="footer">
    <div class="footer-inner">


      <div class="copyright">
        &copy;
        <span itemprop="copyrightYear">2021</span>
        <span class="with-love">
          <i class="fa fa-heart"></i>
        </span>
        <span class="author" itemprop="copyrightHolder">holidaypenguin</span>
      </div>
      <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.js.org/mist/" class="theme-link" rel="noopener" target="_blank">NexT.Mist</a> 强力驱动
      </div>

    </div>
  </footer>


  <script size="300" alpha="0.1" zIndex="-1" src="https://cdn.jsdelivr.net/npm/ribbon.js@1.0.2/dist/ribbon.min.js"></script>
  <script src="https://cdn.jsdelivr.net/npm/animejs@3.2.1/lib/anime.min.js"></script>
  <script src="/js/love.js"></script>

  <script src="/js/development.js"></script>
  <script src="/js/utils.js"></script>
  <script src="/js/motion.js"></script>
  <script src="/js/schemes/muse.js"></script>
  <script src="/js/next-boot.js"></script>


  <script src="/js/local-search.js"></script>









  <script>
    (function() {
      function leancloudSelector(url) {
        url = encodeURI(url);
        return document.getElementById(url).querySelector('.leancloud-visitors-count');
      }

      function addCount(Counter) {
        const visitors = document.querySelector('.leancloud_visitors');
        const url = decodeURI(visitors.id);
        const title = visitors.dataset.flagTitle;

        Counter('get', '/classes/Counter?where=' + encodeURIComponent(JSON.stringify({
            url
          })))
          .then(response => response.json())
          .then(({
            results
          }) => {
            if (results.length > 0) {
              const counter = results[0];
              leancloudSelector(url).innerText = counter.time + 1;
              Counter('put', '/classes/Counter/' + counter.objectId, {
                  time: {
                    '__op': 'Increment',
                    'amount': 1
                  }
                })
                .catch(error => {
                  console.error('Failed to save visitor count', error);
                });
            } else {
              Counter('post', '/classes/Counter', {
                  title,
                  url,
                  time: 1
                })
                .then(response => response.json())
                .then(() => {
                  leancloudSelector(url).innerText = 1;
                })
                .catch(error => {
                  console.error('Failed to create', error);
                });
            }
          })
          .catch(error => {
            console.error('LeanCloud Counter Error', error);
          });
      }

      function showTime(Counter) {
        const visitors = document.querySelectorAll('.leancloud_visitors');
        const entries = [...visitors].map(element => {
          return decodeURI(element.id);
        });

        Counter('get', '/classes/Counter?where=' + encodeURIComponent(JSON.stringify({
            url: {
              '$in': entries
            }
          })))
          .then(response => response.json())
          .then(({
            results
          }) => {
            for (let url of entries) {
              const target = results.find(item => item.url === url);
              leancloudSelector(url).innerText = target ? target.time : 0;
            }
          })
          .catch(error => {
            console.error('LeanCloud Counter Error', error);
          });
      }

      const {
        app_id,
        app_key,
        server_url
      } = {
        "enable": true,
        "app_id": "povuqNsSqFodlakVIwtEX5kb-gzGzoHsz",
        "app_key": "zXD40RDtDB3DMtpC89k0AK7g",
        "server_url": null,
        "security": false
      };

      function fetchData(api_server) {
        const Counter = (method, url, data) => {
          return fetch(`${api_server}/1.1${url}`, {
            method,
            headers: {
              'X-LC-Id': app_id,
              'X-LC-Key': app_key,
              'Content-Type': 'application/json',
            },
            body: JSON.stringify(data)
          });
        };
        if (CONFIG.page.isPost) {
          if (CONFIG.hostname !== location.hostname) return;
          addCount(Counter);
        } else if (document.querySelectorAll('.post-title-link').length >= 1) {
          showTime(Counter);
        }
      }

      const api_server = app_id.slice(-9) === '-MdYXbMMI' ? `https://${app_id.slice(0, 8).toLowerCase()}.api.lncldglobal.com` : server_url;

      if (api_server) {
        fetchData(api_server);
      } else {
        fetch('https://app-router.leancloud.cn/2/route?appId=' + app_id)
          .then(response => response.json())
          .then(({
            api_server
          }) => {
            fetchData('https://' + api_server);
          });
      }
    })();
  </script>



<script>
            window.imageLazyLoadSetting = {
                isSPA: false,
                preloadRatio: 1,
                processImages: null,
            };
        </script><script>window.addEventListener("load",function(){var t=/\.(gif|jpg|jpeg|tiff|png)$/i,r=/^data:image\/[a-z]+;base64,/;Array.prototype.slice.call(document.querySelectorAll("img[data-original]")).forEach(function(a){var e=a.parentNode;"A"===e.tagName&&(e.href.match(t)||e.href.match(r))&&(e.href=a.dataset.original)})});</script><script>!function(n){n.imageLazyLoadSetting.processImages=o;var e=n.imageLazyLoadSetting.isSPA,i=n.imageLazyLoadSetting.preloadRatio||1,r=Array.prototype.slice.call(document.querySelectorAll("img[data-original]"));function o(){e&&(r=Array.prototype.slice.call(document.querySelectorAll("img[data-original]")));for(var t,a=0;a<r.length;a++)0<=(t=(t=r[a]).getBoundingClientRect()).bottom&&0<=t.left&&t.top<=(n.innerHeight*i||document.documentElement.clientHeight*i)&&function(){var t,e,n,i,o=r[a];t=o,e=function(){r=r.filter(function(t){return o!==t})},n=new Image,i=t.getAttribute("data-original"),n.onload=function(){t.src=i,e&&e()},t.src!==i&&(n.src=i)}()}o(),n.addEventListener("scroll",function(){var t,e;t=o,e=n,clearTimeout(t.tId),t.tId=setTimeout(function(){t.call(e)},500)})}(this);</script></body>

</html>